On October 16, 2018, the Securities and Exchange Commission (SEC) issued a report on the results of investigations made by the SEC’s Division of Enforcement into nine public companies that were victims of cyber-related frauds. In each case, the SEC investigation focused on whether the target companies had complied with the applicable requirements of the Securities Exchange Act of 1934, as amended (Act). The Act requires public companies to devise and maintain a system of internal control over financial reporting designed to provide reasonable assurance that, among other things, transactions are executed in accordance with company management’s authorization, that transactions are properly recorded and that access to assets is permitted only with management’s authorization.
Ultimately, the SEC did not pursue enforcement actions against any of these companies, but released the report to advise public companies that cyber-fraud incidents must be taken into account when designing and maintaining internal control procedures.
The nine investigated companies represented a wide range of industries, but each had substantial revenues and securities that were listed for trading on a national securities exchange. The report did not identify the companies by name. Each investigated company lost at least $1 million as a result of cyber-frauds involving spoofed or compromised emails purporting to be from company executives or vendors. Two of the nine companies lost more than $30 million as a result of these frauds.
Of the two types of email frauds, the SEC noted that those involving spoofed executive emails were not technologically sophisticated frauds – they typically only required creating an email address that mimicked the executive officer’s actual email address. In these cases, the spoofed email directed the targeted company’s finance personnel to work with an outside attorney identified in the message, who would then direct the company employee to transfer large sums of money by wire to foreign bank accounts controlled by the perpetrators of the frauds. The SEC noted some threads common to each fraud, including alleged time sensitivity, claims of government oversight or involvement and a need to transact business or make acquisitions in foreign countries.
The other type of fraud – emails from vendors – was more technologically sophisticated because it involved the hacking of email accounts of the targeted company’s foreign vendors. The perpetrators of the fraud would then request payment on behalf of the company’s actual vendor, but direct payment to accounts controlled by the perpetrators, rather than the actual vendors. This type of fraud, according to the SEC’s report, contained fewer hints of illegitimacy and threw up fewer red flags.
The report restated and underlined the SEC’s position, most recently expressed in February 2018 when the SEC released its guidance on cybersecurity disclosures, that internal controls must reasonably safeguard the company from cyber-related fraud in order to be effective under the law. That is, while the fraudulent schemes involved electronic communications and technology, ultimately it was weaknesses in policies and procedures, together with human vulnerabilities, that made the targeted companies’ internal controls ineffective.
Accordingly, all public companies should reassess their internal accounting controls in light of these and other cyber-related risks, and make any changes and adjustments that are needed. Companies that do not risk not only losing millions of dollars to fraud, but also facing liability under the securities laws for having inadequate and ineffective internal accounting controls.